From: "Dalin S. Owen" <dowen@pstis.com>
Organization: Packetstorm Technologies
To: freebsd-security@freebsd.org
Subject: ESP + IPFW
Date: Mon, 4 Mar 2002 18:15:16 -0700
Message-Id: <20020305021845.510AE37B41C@hub.freebsd.org>

I have IPsec running between two FreeBSD machines (over an 802.11b link). They are manually keyed (not using an IKE daemon).

First question: is it more secure to use an IKE? I mean, doesn't it rotate keys, instead of just using static ones? And if I use an IKE, can those generated keys be sniffed, or are they encrypted with the last key?

Now, another issue. I have the following rules on each machine with ipfw (I am only going to show the relevant ones for simplicity):

    # nat box (I have a separate interface for the 802.11 AP)
    ipfw add 10 allow esp from any to any via dc1
    # this stops anyone from using my AP
    ipfw add 20 deny ip from any to any via dc1

    # workstation
    ipfw add 10 allow esp from any to any

Now, everything works fine. But I would like to be able to firewall the packets *after* they are translated by IPsec (ESP) with IPFW. How would I do that? They seem to only pass into IPFW once, not twice. Can you run IPF with IPFW to do it, and in that case which firewalling system gets matched first?

Thanks!

Dalin Owen